Proceedings on Privacy Enhancing Technologies ; 2017 (1):1–18 Stephan Heuser, Bradley Reaves, Praveen Kumar Pendyala, Henry Carter, Alexandra Dmitrienko, William Enck, Negar Kiyavash, Ahmad-Reza Sadeghi, and Patrick Traynor Phonion: Practical Protection of Metadata in Telephony Networks Abstract: The majority of people across the globe rely 1 Introduction on telephony networks as their primary means of com- munication. As such, many of the most sensitive per- Telecommunication companies record network use by sonal, corporate and government related communica- individual customers via Call Data Records (CDRs). tions pass through these systems every day. Unsurpris- CDRs contain important metadata ranging from call ingly, such connections are subject to a wide range of source and destination to duration of the connection and attacks. Of increasing concern is the use of metadata the route through the telephony network. Such meta- contained in Call Detail Records (CDRs), which contain data have most recently been associated with large-scale source, destination, start time and duration of a call. collection campaigns by intelligence agencies [24]. While This information is potentially dangerous as the very these organizations often assert that such programs are act of two parties communicating can reveal significant necessary to prevent crime and terrorism, privacy advo- details about their relationship and put them in the cates argue that the complete cataloging of telephony focus of targeted observation or surveillance, which is metadata erodes civil liberties. For example, oppressive highly critical especially for journalists and activists. regimes can use CDR analysis to identify and harass To address this problem, we develop the Phonion archi- freedom fighters in civil war zones, such as Syria. How- tecture to frustrate such attacks by separating call setup ever, what researchers and policy makers have failed to functions from call delivery. Specifically, Phonion allows consider is that a range of other adversaries may also users to preemptively establish call circuits across mul- use CDRs to violate the privacy of targeted individuals. tiple providers and technologies before dialing into the In 2006, for example, detectives hired by executives at circuit and does not require constant Internet connec- Hewlett-Packard were able to use social engineering to tivity. Since no single carrier can determine the ultimate acquire phone records and determine the identity of an destination of the call, it provides unlinkability for its anonymous corporate board member who leaked sen- users and helps them to avoid passive surveillance. We sitive information to journalists [33]. Such attacks are define and discuss a range of adversary classes and ana- not limited to private detectives, but have also been exe- lyze why current obfuscation technologies fail to protect cuted by jealous spouses [2], curious neighbors [58], com- users against such metadata attacks. In our extensive panies paying for employee cell phones [11] and rogue evaluation we further analyze advanced anonymity tech- employees of cellular network providers [22, 53]. In 2011, nologies (e.g., VoIP over Tor), which do not preserve our major security flaws in Vodafone’s data system were re- functional requirements for high voice quality in the ab- sence of constant broadband Internet connectivity and compatibility with landline and feature phones. Pho- nion is the first practical system to provide guarantees Praveen Kumar Pendyala: TU Darmstadt, E-mail: of unlinkable communication against a range of practi- [email protected] cal adversaries in telephony systems. Henry Carter: Villanova University, E-mail: [email protected] Keywords: Metadata protection, anonymous telephony, Alexandra Dmitrienko: ETH Zurich, E-mail: alexan- privacy-preserving communications [email protected] William Enck: North Carolina State University, E-mail: Received 2017-05-31; revised 2017-08-01; accepted 2017-08-01. [email protected] Negar Kiyavash: University of Illinois, E-mail: [email protected] Ahmad-Reza Sadeghi: Intel CRI-SC and TU Darmstadt Stephan Heuser: Intel CRI-SC and TU Darmstadt, E-mail: E-mail: [email protected] [email protected] Patrick Traynor: University of Florida, E-mail: Bradley Reaves: University of Florida, E-mail: [email protected]fl.edu reaves@ufl.edu Phonion: Practical Protection of Metadata in Telephony Networks 2 ported, which resulted in CDRs of millions of customers – Security analysis and comparison against a range being available on the Internet [44]. of proposed alternatives: We analyze privacy guar- These threats have motivated academic research to antees provided by Phonion (cf. Section 6) and dis- develop anonymous voice communication systems. The cuss important deployment considerations (cf. Sec- most common and well-studied approach is the use of tion 7). We further compare our solution to alter- Voice over IP (VoIP) telephony in combination with native approaches ranging from Caller ID suppres- low-latency anonymization networks, such as Tor [21]. sion to “burner” phones that are only used a small While Tor is widely believed to provide reasonable number of times (cf. Section 8). To the best of our anonymity guarantees, there are situations where its knowledge, our analysis for the first time shows that shortcomings prohibit adoption. First, compared to the the current state of the art fails to address all but telephony network, Tor relays are more susceptible to the simplest adversaries and fails to scale. congestion, which negatively impacts voice quality. Sec- ond, VoIP over Tor mandates constant high-bandwidth Note: We stress that our main contribution lies in pro- Internet connectivity for both caller and callee, which tecting users against CDR analysis by routing calls is not always reasonable, for example in rural areas or across a network of multiple independent telephony re- in developing countries. Finally, in many cases, sensi- lays. We use smart engineering to design and implement tive communications must take place over traditional the Phonion architecture, which is a viable alternative telephone systems. This is especially true in journalism, to VoIP over established anonymization networks, that where sources often dictate the use of phone calls [41]. can provide better call fidelity while not relying on con- In this paper, we present Phonion, an alterna- stant broadband Internet connectivity on the caller or tive solution which addresses shortcomings of existing callee side. We, however, neither attempt to replace anonymization networks regarding voice communica- well-studied low-latency anonymization networks, such tion. Phonion routes calls over the telephony infrastruc- as Tor, nor claim stronger anonymity properties. Indeed, ture and achieves high quality of calls while obfuscating our solution leverages Tor once during the initial call call data records. Our architecture generates alias tele- circuit setup, but never routes actual call contents via phony numbers for its users and does not require In- Tor. ternet connectivity during calls. Phonion is compatible with a wide variety of end user devices – ranging from rotary phones to VoIP clients – and resilient to compro- 2 System and Security Model mise of (a number of) telephony network operators. In particular, we make the following contributions: The primary objective of Phonion is to provide call un- – Design of Phonion: We define the spectrum of ad- linkability. That is, Phonion prevents an adversary from versaries (cf. Section 2) and design the Phonion sys- identifying that specific pairs of users communicated tem of loosely cooperating telephony services to es- with each other via the Phonion architecture. tablish and relay calls so that the source and desti- nation of a call are unlinkable using CDR analysis (cf. Section 3). Our contribution lies in combining 2.1 Overview existing technologies in a novel way to create an out- of-band signaling overlay network and phone call We first start with a simple use case example of how forwarding infrastructure. the Phonion network can be used. We briefly describe – Implementation and extensive evaluation: We pro- the components of Phonion network and will present its vide a full implementation of Phonion which sup- detailed design and implementation in Sections 3 and 4. ports various telephony technologies and is compati- Suppose Alice is a police officer, and she has discovered ble with a vast diversity of end-user devices, ranging that a few “bad apples” in her department are routinely from rotary phones to VoIP clients (cf. Section 4). violating the civil rights of innocent citizens. She wants We intend to make our implementation available to inform someone, but she fears that she could lose to the research community. We evaluate our im- her job or face severe harassment if she talks to supe- plementation using professional industry-standard riors. By serendipity, at a police department fundraiser voice quality analysis tools and metrics to demon- she meets Bob, a journalist. That night, she pulls Bob strate that Phonion maintains call fidelity when aside and asks if she could call him anonymously with compared to standard phone calls (cf. Section 5). Phonion: Practical Protection of Metadata in Telephony Networks 3 f&-' f&-' f&-' A significant advantage of Phonion over purely VoIP based solutions, such as VoIP over Tor, is that Phonion (n¾ (n¾ (n¾ I#$9Ŷ 9@-Ŷ 9@- 9@-Ŷ 9@- supports a wide variety of telephony endpoints, such 9@-ŶI#$9 9@-ŶI#$9 I#$9Ŷ 9@- as cellphones, smartphones, landline phones, or even f&-' f&-' f&-' a desktop or mobile computing platform using VoIP software. This feature will especially be appreciated by (n¾ (n¾ users who are comfortable with standard telephony, but 9@-Ŷ 9@- (n¾ I#$9Ŷ 9@- 9@-ŶI#$9 9@-Ŷ 9@- 9@- Ŷ 9@- less familiar with VoIP technology. I#$9Ŷ 9@- 9@- Ŷ I#$9 fť 2.2 Adversary Model n % We first specify assumptions on adversary capabilities f-¯ ť f-¯ ť 9°°-¯ ť and then define four distinct adversary classes with in- creasing capabilities. We will use these classes in Sec- Fig.